Anton Security Tip of the Week #8: What Just Changed?

by Anton Chuvakin

Following the now old :-) "tradition" of posting a security tip of the appropriate time interval (mentioned here, here; SANS jumped in as well), I decided to follow along and join the initiative. One of the bloggers called it "pay it forward" to the community.

So, Anton Security Tip of the Day #8: What Just Changed?

Let's close our eyes for a second and dive deep into the bizarre and menacing world of a Windows event log. As I mentioned before, massive Windows server log collection got a jump start in recent years due to wide availability of agentless Windows log collection tools, such as Project LASSO (yes, many people think that agents suck even when they are useful - weird, isn't it?).

Windows event logs, the "Big Three" of System, Security and Application as well as other logs, share a lot of contradicting properties: way too much detail in some areas and missing critical info in others, consistent and thoughtful design here and sheer stupidity there, nice structured data sometimes and confusing mumbo-jumbo in other cases. And the universe of the event log is never static: the whole thing flows and morphs with each Windows release and at times with each update. New event IDs are being created, changed and loaded with new roles and new info.

In this tip, we will look at some fun Windows log entries and explain their meaning for your organization as well as cover what you should do if you encounter them. Given that the realm of Windows event log is so huge, we will start by looking at events that indicate changes of different kinds, mostly configuration and user account. So, what just changed?

I. "Computer Account Deleted" or "User Account Deleted": obviously, a service or user account was deleted. Who did it? When? Why? Answer all the questions above and then you can go back to sleep - or to your incident response plan :-)

III. "Computer Account Changed" or "User Account Changed": similarly, changes to accounts are reflected in the events containing this text. Account changes do include privilege level changes that are often of particular interest.

At this stage, it might be appropriate to ask: why aren't we going by Windows event ID to identify the above events of interest, but instead choose to use the above text blurbs? Well, up to Vista, Windows event IDs often aren't :-) Meaning that they don't identify the event sufficiently. Sometimes, they are overloaded and the same ID applies to very different things. Sometimes, the opposite happens - same event, different IDs (e.g. a lot of login/logout stuff).

IV. "Policy Change": might mean almost anything on a Windows system. Thus, we can't really tell you much; you need to read the event to see what actually changed (if anything!)

V. "The system time was changed" might not matter that much, but if you are looking to use your logs as forensic evidence (i.e. use them in court) you might want to track all the time changes since they will affect the log timestamps on the server where time changed.

VI. "The following schema object was modified" oooh, don't you love Active Directory! This indicates that some of the AD objects changed - fortunately, the object name will be in the same event.

Enough for today! Windows logging makes most everyone's head hurt (unless you are Eric or Randy, I guess :-))

So, to conclude, make sure that you collect Windows event logs and analyze them on an ongoing basis, preferably using your log management system.